Tag Archives: security policy

“Five Eyes” intelligence document leak – Australian Defence bureaucrat off to jail

This week saw the news that a junior bureaucrat from the Australian Department of Defence has been jailed for one year, following his guilty plea in the ACT Supreme Court to posting a secret Defence Intelligence Organisation report to an online forum. Julia McCarron gives her take on this quite staggering series of events.

Not a ‘Gooday’ for the Canberra APS

Surprise!

Well, this is a strange one for sure. So, Michael Scerba, a former junior Defence bureaucrat, has been jailed in Australia for uploading secret information online. He downloaded a 15-page document from a secret Defence Intelligence report, burnt it to disc, took it home and posted the first two pages on an online forum. The post was viewed and commented on by a dozen people and re-posted, but disappeared an hour after its original post.

This is bad on so many levels …

When they say he was a junior bureaucrat, he was actually a 21 year old Department of Defence (DoD) graduate … with only 8 months on the job behind him and a secret (negative vetting level one) clearance … and apparently “his mental health had impaired his judgement”. I accept that the article does not expand on these mental health issues or when these issues occurred, and I am in no way implying that mental health of any kind should be a barrier to employment, as I do not believe it should in general. However, we are talking about a position in National security here with access to secret information, so let us assume his issues occurred pre-employment. So, first question: Why was a 21 year old graduate with mental health issues given a level of clearance high enough to enable access to, and the capability to download, information relating to National security?

You've got to have a system.

Something has to have gone wrong with the vetting process and/or the employment process where access rights and privileges are determined and applied. If he had underlying mental health issues, surely these should have been detected prior to his employment or during the induction process. I would presume DoD staff have to go through stringent mental stability checks for security clearance purposes, to minimise the risk of coercion or subversion? This seeming lack of procedure demonstrates the importance of a robust vetting process, particularly in a role so critical to the security of the nation. It also demonstrates the need to ensure privileges are granted relevant to the job role and on a ‘need to know’ basis. Did he really need access to information that revealed the identity of intelligence sources, gathering methods and classified aspects of strategic partnerships between Australia and other countries?

It also opens up the question of removable media access and control in sensitive areas. Second question: Did he really need to be granted the ability to burn information to disc or USB at the level he was working at? Are there not search facilities at access points, à la ‘Spooks’, that detect unauthorised media? I would have thought again that some sort of policy would have existed that meant staff were only allowed use of authorised removable media and that no media was allowed to be removed from the premises.

And finally, the claim by the Judge that, “Scerba had not intended to compromise national security, although he knew the disclosure could cause harm”. I find this claim quite astonishing. So he’s employed in a DoD job, with access to information pertinent to National security and he didn’t know the disclosure could cause harm or compromise National security? Really? Question 3: What kind of induction training was the DoD providing? I can’t believe they do not put employees through extensive security training highlighting how to handle data at various classification levels, the importance of data classification and handling and the consequences of failing to comply with policy. If they don’t then some serious questions need to be asked!

I think I’m with retired Lieutenant General Peter Leahy on this one though; jail time was definitely required for this serious National security data breach. But 12 months with only 3 served does not send out a good message to others employed by the DoD who, like Scerba, believe Julian Assange is their hero. This could just be the beginning unless changes to process are tightened up.

This post is based on an online article in the Canberra Times dated 5th November 2015.


The Insider that rarely gets questioned…

Insider Threat certainly isn’t going away, is it? Reading the continual survey results and news items I see published, it will still be an issue for a long time to come. We know that a lot of the risk that insiders bring can be mitigated with good policy and process combined with tech that is fit for purpose. But what of those insiders we don’t really like to challenge? I speak of the C-Suite, our boards and senior management… surely they couldn’t possibly indulge in risky behaviour?

Risky behaviour is actually quite prevalent in our boardrooms, security-wise I mean (check out https://uk.pinterest.com/pin/38632509277427972/). Unfortunately, some of the information assets that this level of colleague has access to are quite privileged, so in actual fact the security around their behaviour needs to be tighter. In reality things are not always this watertight: IT security and other security functions will make huge exceptions based upon the role and seniority of the individual, instead of looking at the value of the information asset and how it needs to be protected (check out https://uk.pinterest.com/pin/38632509276681553/).

It’s worth noting that senior execs are frequently the targets of spear phishing, and given the level and sensitivity of the assets they have access to, this is a huge risk to be taking with organisational security. Ransomware could also be deployed through this method, and as a means of coercion. Whilst considering this level of access, we also need to think about the purpose of an attack. If it was part of an industrial espionage operation, the plan might not be to steal data; it could be to destroy or invalidate it in situ, in order to affect stock prices, for instance. It is also worth noting that ex-execs or managers can still be a target, and that means they still constitute a potential organisational threat.

Privileged users like system administrators (sysadmins) also pose a potential threat in the same way as senior business users, as there may be little or no restriction on what they can access or edit. A rogue sysadmin or similar could cause absolute chaos in an organisation, but the organisation might not even realise it if they also have the ability to cover their tracks. According to the Vormetric 2015 Insider Threat Report, the biggest risk group was privileged users; the privileged user and Executive Management categories were responsible for 83% of the overall risk from insiders. Yet according to the same piece of research, only 50% had Privileged User Access Management in place and just over half had data access monitoring in place.

One more layer to add on top of this would be BYOD. Many businesses have considered whether BYOD is a good choice for them and many have decided to adopt it. Whilst data suggests it may contribute to data breaches in adopting organisations, it can be a problem even for those who do not adopt it, as yet again senior execs are allowed latitude regarding the devices they use and may not be subject to the same scrutiny or oversight as general employees. We know that almost a third of employees have lost up to 3 work mobile devices; we do not know how many have also lost their own device, or whether it contained sensitive or valuable business data. We do know that some of these will be senior executives, and this, combined with other risky behaviours (check this out https://uk.pinterest.com/pin/38632509277975844/), will be a major contributor to the risk profile that they represent.
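The two controls the survey figures above say are so often missing, privileged user access management and data access monitoring, come down to a few rules run over an audit trail, and the point is that the rules look at role and action, not at how senior the account holder is. The following is an added example, not code from the original post or from Vormetric; the audit-log format, the role table and the sample lines are constructed for illustration and stand in for whatever your database or file-server audit trail actually emits.

```python
"""Data-access monitoring for privileged and executive accounts.

Added example, not code from the original post. The audit-log format,
the role table and the sample lines below are all constructed for
illustration.
"""
from dataclasses import dataclass
import re

# Which data classes each role legitimately needs. A sysadmin keeps the
# systems running; that does not require reading the finance ledger.
ROLE_ALLOWED = {
    "sysadmin": {"system", "backup"},
    "finance": {"finance"},
    "exec": {"finance", "strategy"},
}
# Actions against the audit trail itself are how tracks get covered.
AUDIT_RESOURCES = {"audit_log", "auth.log"}
TAMPER_ACTIONS = {"DELETE", "TRUNCATE", "CHMOD"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC, assumed for the example

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) class=(?P<cls>\S+)$"
)

# Constructed sample audit lines (not from any real system).
SAMPLE_LOG = """\
2015-11-05T09:01:12Z user=jsmith role=finance action=READ resource=ledger_2015 class=finance
2015-11-05T09:04:30Z user=admin2 role=sysadmin action=READ resource=ledger_2015 class=finance
2015-11-05T09:05:02Z user=admin2 role=sysadmin action=TRUNCATE resource=audit_log class=system
2015-11-05T22:40:00Z user=ceo role=exec action=EXPORT resource=board_pack class=strategy
2015-11-05T09:10:44Z user=admin1 role=sysadmin action=READ resource=nightly_backup class=backup
"""


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    line: str


def parse_line(line):
    """Return the fields of one audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev, raw):
    """Apply the three rules to one parsed event; return the alerts raised."""
    alerts = []
    # Rule 1: the role, not the seniority, decides what data is in scope.
    if ev["cls"] not in ROLE_ALLOWED.get(ev["role"], set()):
        alerts.append(Alert(ev["user"], "data_access_outside_role", raw))
    # Rule 2: anyone altering the audit trail is flagged, privileged or not.
    if ev["action"] in TAMPER_ACTIONS and ev["resource"] in AUDIT_RESOURCES:
        alerts.append(Alert(ev["user"], "audit_trail_tamper", raw))
    # Rule 3: bulk exports outside business hours get a second look.
    hour = int(ev["ts"][11:13])
    if ev["action"] == "EXPORT" and hour not in BUSINESS_HOURS:
        alerts.append(Alert(ev["user"], "out_of_hours_export", raw))
    return alerts


def monitor(log_text):
    """Run every line of an audit log through the rules and collect alerts."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is not None:
            alerts.extend(check_event(ev, raw))
    return alerts


if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG):
        print(f"{a.rule:26} {a.user:8} {a.line}")
```

On the sample, the finance user and the sysadmin reading the backup raise nothing; the sysadmin reading the ledger, the sysadmin truncating the audit log and the late-night board-pack export each raise one alert. For the second rule to mean anything the alerts must be written somewhere the sysadmins cannot edit, which is why the monitoring function should be operated by a team separate from the one it watches.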

Social Engineering – a fascinating look from a real expert….

Helpdesk1 to Helpdesk 2, come in. Over.

Readers of this blog will have encountered our security-based content on the concept of Social Engineering before. This post is a fascinating glimpse from a firsthand user – the pitfalls, the uses and the reactions.

Are your colleagues security aware enough to be able to keep their nerve and stick to policy when faced with challenging and anxiety-raising situations like we see detailed below?

Would you or your colleagues recognise any of the characteristics of a Social Engineering attempt? It’s not just about having a policy but about everyone understanding it and feeling confident enough to apply it… to everyone. Do manners and cultural norms play a part in how the social engineer gets either access to, or information on, things that they shouldn’t? Reading this account, undoubtedly. Including a module on Social Engineering would be a very wise idea in any organisation’s Security Awareness Training programme.

IT Helpdesk 1 to Helpdesk 2 – “Who was that on the phone? I could hear him shouting and threatening you from here”.

IT Helpdesk 2 to Helpdesk 1 – “The CFO… who’s trying to work on his laptop, from home. He can’t login… again, he said. He wouldn’t let me talk him through anything, said he’d done everything I tried to suggest, he just wouldn’t listen to any of our standard procedures. He just kept shouting and saying he’d be in here tomorrow to fire me, and have me escorted off the premises. All he wanted was for me to reset his password and check his complete authentication process details, so he could get some work done. He said he didn’t want a confirmation email or a Helpdesk ticket on the system, telling everyone he couldn’t use his laptop, and I wouldn’t want him telling the head of ICT that I couldn’t or wouldn’t help him out”.

IT Helpdesk 1 to Helpdesk 2 – “What an ar5e!”…

“A common enough Social Engineering attack, from the perspective of the recipient of the attack, one I’ve used many times myself. The tools of the Social Engineer are Manipulation, Domination, Coercion, and then ending with the hope of a Carrot after the Stick, to make them feel lucky to have escaped so lightly. Sometimes flattery and feigned stupidity will work, but the Social Engineer needs to be confident in his/her ability and flexible enough to adapt to the emerging responses they get from the subject of the attack. Confidence in eliciting in-depth information, by pre-loading the recipient’s mind with information to make your questions more readily accepted by them, is another key skill of the Social Engineer. In the example above the CFO was selected because their personal Facebook page showed he was on holiday with the family somewhere hot and sunny that looked like Mexico. Don’t get me started on Social Media, and the information people just broadcast out there, to the unknown, unrestricted and dark corners of the Internet.


We all want to help – naturally. We also want to make the shouting stop…

It’s in the human makeup to want an unpleasant or embarrassing problem to be someone else’s and not yours. The human mind can be likened to software we all understand: it is possible to overload the target’s mind and insert custom instructions, just as a Hacker executes code to cause a stack or buffer overflow. A favourite Social Engineering attack to illustrate this is when you need to get buzzed through from reception without being escorted. You rush in trying to explain you’re there to see someone important at the company, mentioned by name; you’ve been there many times before and know the way. You rush on to say that you’re terribly late, you’re also trying to sign in and keep the initiative before the receptionist can process this overload of information, or think to do what their procedure says they should do. This is known as ‘Pretexting’, preloading the human mind with information to support your story and persona to make it all more credible. You then receive your pre-planned imaginary phone call, “Sorry, I have to take this” you say, the call quickly escalates and you launch into a blistering verbal assault on the person who isn’t really on the other end. Phone still to your ear, and still giving full vent to your ire, you motion in the direction of the receptionist and towards the controlled door they will have been watching and listening most intently as you start walking towards the door. You’ve overloaded them, you’ve inserted the belief you’re someone important, not to be denied or argued with, especially if you’re off to see one of the senior officers of the organisation; the subject of the attack will want you to say how helpful they were.

I’ve found that 9 times out of 10, to make this horrid person go elsewhere and be someone else’s problem, you’ll get buzzed through usually with a comment from the receptionist that they’ll call ahead to say you’re coming.  As that isn’t where in the building you are really heading, that’s not a problem.  It’ll take some time for them to realise you haven’t arrived, by which time you will have found your next security obstacle to overcome or target of your next Social Engineering attack and started to penetrate deeper into the building and closer to your final goal. 

The key to becoming less susceptible to Social Engineering is to find out more about how the attackers influence and control people.  As with software Hackers, the process is not a ‘one time attack’, there will be supporting or enabling attacks, probing enquiries, all building the picture of the target organisation before the ‘Big-One’.  Remember credibility during the attack will be enhanced by the use of morsels of the truth, names or organisational details of the target organisation.  Social Engineers are hackers of people.  You need to start to think of them in that more familiar way and then your perceptions will change and you will tune in to the attack indicators that will allow earlier detection of their activities, as you already do with software hackers and malware writers.  Staff awareness of the techniques of Social Engineering can dramatically improve the resistance to Social Engineering attacks, just as the Police try to educate the vulnerable about the local activities of Con Men.”

Senior Advent IM Security Consultant

Photos: Microsoft Office

Further viewing on this topic can be found on our Slideshare stream here: http://www.slideshare.net/Advent_IM_Security/social-engineering-insider-and-cyber-threat (you will need sound).
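The helpdesk exchange at the top of this post fails at exactly the point where the procedure is allowed to bend: the ticket is skipped, the confirmation email is skipped and the caller's claimed seniority becomes an input to the decision. A reset workflow that cannot be shouted out of its steps looks something like the following. This is an added example, not code from the original post or from Advent IM; the directory entries, the request fields and the ticket store are constructed for illustration, and a real helpdesk would read them from its identity and ticketing systems.

```python
"""A password-reset procedure that does not bend for seniority.

Added example, not from the original post. The directory, the request
fields and the ticket store are constructed for illustration.
"""
from dataclasses import dataclass, field
import secrets

# Authoritative directory. Verification always uses the contact details
# held here, never a number or address the caller reads out over the phone.
DIRECTORY = {
    "cfo": {"callback": "+44-20-0000-0001", "email": "cfo@example.invalid"},
    "jdoe": {"callback": "+44-20-0000-0002", "email": "jdoe@example.invalid"},
}


@dataclass
class ResetRequest:
    username: str
    claimed_role: str          # what the caller says they are; the policy never reads it
    callback_answered: bool    # caller was reached on the directory number
    challenge_passed: bool     # out-of-band challenge (e.g. code sent to on-record email)
    wants_no_ticket: bool = False
    wants_no_confirmation: bool = False


@dataclass
class Ticket:
    id: str
    username: str
    outcome: str = "open"
    events: list = field(default_factory=list)


def handle_reset(req, store):
    """Process one reset request; returns (ticket, temporary_credential_or_None)."""
    # 1. The ticket exists before any decision is taken, so a demand that
    #    nothing be recorded is itself recorded rather than honoured.
    ticket = Ticket(id=f"HD-{len(store) + 1:04d}", username=req.username)
    store.append(ticket)
    if req.wants_no_ticket or req.wants_no_confirmation:
        ticket.events.append("caller asked to bypass ticket/confirmation; flagged to security")

    record = DIRECTORY.get(req.username)
    if record is None:
        ticket.events.append("no directory entry for account")
        ticket.outcome = "denied"
        return ticket, None

    # 2. Identity is confirmed by calling the number on record. Refusing the
    #    callback ends the request, whoever the caller claims to be.
    if not req.callback_answered:
        ticket.events.append(f"callback to {record['callback']} not completed")
        ticket.outcome = "denied"
        return ticket, None

    # 3. A second, out-of-band factor the caller cannot argue their way past.
    if not req.challenge_passed:
        ticket.events.append("out-of-band challenge failed")
        ticket.outcome = "denied"
        return ticket, None

    # 4. Reset, and confirm to the on-record address regardless of preference,
    #    so the real account holder learns of a reset they did not request.
    temp_credential = secrets.token_urlsafe(12)
    ticket.events.append(f"temporary credential issued; confirmation sent to {record['email']}")
    ticket.outcome = "reset"
    return ticket, temp_credential


if __name__ == "__main__":
    tickets = []
    shouting_cfo = ResetRequest("cfo", "CFO", callback_answered=False,
                                challenge_passed=False, wants_no_ticket=True,
                                wants_no_confirmation=True)
    ticket, cred = handle_reset(shouting_cfo, tickets)
    print(ticket.id, ticket.outcome, ticket.events, cred)
```

Nothing in `handle_reset` reads `claimed_role`, which is the whole design: the person on the phone cannot buy a shortcut with a job title, and the only thing the shouting achieves is an extra line in a ticket the security team will read. The same procedure, applied to a colleague who accepts the callback and passes the challenge, produces a reset and a confirmation to the address on record.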

Bring Your Own Device to work, let’s think about that one…

Should it work for you but more importantly can it work for you?

Dave Wharton, Senior Security Consultant, Advent IM

With the proliferation of Smartphones and Tablets there is a growing trend that allows or turns a blind eye to the use of personal devices for work purposes but is it safe and can a company really justify it in the event something goes wrong?  

In an era where flexibility and mobility are key, there seems to be a growing acceptance by companies (or is it a sense of inevitability) that staff should be allowed to use their own devices to do their work on – BYOD. Whether this is using a PC at home or using their Smartphones, Tablets and Laptops on the move, there is no question staff are doing it, either with or without the blessing of their company. A recent BBC article on BYOD quoted a survey by Avanade (a business technology company) which found that 88% of executives said employees used their own devices for business purposes (http://www.bbc.co.uk/news/business-17017570). Another survey found that while 48% of employers would never allow BYOD, 57% agreed that some staff used personal devices without consent.

So what, might you ask? 

“My PC at work is slow and takes an age to open an email, and if I try to do two things at once it just freezes”, or “my boss needs this by tomorrow and I’ll be damned if I’m staying behind again tonight”.

When faced with such challenges, is it any wonder that staff want to take advantage of their state of the art device that provides functionality and performance a company ICT manager can only dream of? The appeal to companies is there also: productivity improves and staff are content, but at what price? Companies that allow BYOD should be under no illusion that it comes without risk. By allowing staff to use their own devices, companies are in effect relinquishing control of how their information (sensitive or otherwise) is imported to and exported from their business networks, and are also allowing the connection of untrusted devices, thereby increasing the risk of malware attacks and data compromise and, perhaps more worryingly, exposing the business to reputational harm or costly fines in the event of a data protection breach. Is there any managing director or senior partner who would welcome the scrutiny of the Information Commissioner’s Office?

So what is the answer? The straightforward answer is not to allow it, and I am not going to advocate the use of BYOD here. There are a number of reasons why you shouldn’t and perhaps only one reason why you should. While employee satisfaction is clearly important, the main advantage to employers comes down to cost. By allowing BYOD there are potential savings in ICT infrastructure, as in effect you are passing (somewhat unfairly) the burden of upgrades to your staff. You could even offer staff an annual bonus for using their own devices, to share the cost of upgrading, and still save money. A very convincing argument in favour of BYOD was also presented on ZDNet (http://www.zdnet.com/blog/virtualization/byod-the-inevitable-reality/3953), although I would disagree (obviously) with the views on security and argue that this is where governance comes in (see below).

However, as I said earlier, if you do so you relinquish control, which in my view will always be too high a price. Now some will argue that as soon as you provide staff with a Smartphone or Laptop you lose control of these devices the second they walk off the premises, so why worry about BYOD? I would contend that this is where governance comes in. Issuing staff with company-owned devices means you determine (among other things):

  • What devices are permitted;
  • The operating system and how it is kept secure with the latest security updates and patches;
  • The strength and quality of passwords used;
  • What anti-malware software is used and, perhaps more importantly, how it is updated;
  • How data is stored and protected on the device;
  • How and where the device connects to the internet;
  • What removable media (eg. USB memory sticks, CDs, etc) is permitted.

And with governance and compliance checking you can ensure that the above points are always maintained and that the device is used in accordance with your company’s acceptable use policies. Can you honestly say your staff will be as vigilant in protecting their own devices? Have a look at this regarding passwords on mobile phones (http://www.scmagazineuk.com/consumers-failing-to-take-mobile-security-seriously-says-sophos/article/209294/). You may also want to consider that your staff will probably let their friends and family use their own devices, but will be less inclined to do so with a company-owned device.

To support my view I have a challenge for you.  Take a look at the advice for an effective cyber defence provided by the UK Government’s Centre for the Protection of Critical National Infrastructure (http://www.cpni.gov.uk/advice/infosec/Critical-controls) and see how allowing BYOD compares against the advice provided.  You might also want to see how your organisation’s ICT infrastructure meets the listed controls while you’re on, particularly if you are holding large volumes of customer personal data.     

So should/can BYOD work for you? My answer is no on both counts. My advice is that organisations that want to protect their own information and that of their clients should consider implementing an information security management system, such as that defined by the ISO/IEC 27001 standard, which provides a structured series of controls, a part of which will assist organisations in implementing a business-supporting and secure ICT programme.

However, despite my saying that I wouldn’t advocate the use of BYOD, if you find yourself in a position where you have no choice, there are some steps you can take to reduce the risk (if only slightly):

  1. Identify what types of devices will be permitted and which won’t;
  2. Authorise permitted devices and block all others;
  3. Segregate particularly sensitive company/client data on the network and consider what access will be permitted from remote devices;
  4. Insist on specific encryption standards for data storage and using WiFi;
  5. Insist that anti-malware is installed, kept up to date and the device is regularly scanned;
  6. Insist that a remote emergency wiping capability is added to the device for if the device is lost/stolen;
  7. Keep up to date with the latest threats and vulnerabilities and have a policy in place for responding accordingly;
  8. Develop, educate and enforce BYOD policies that cover Steps 1 to 7 and:
    • Immediate actions if the device is lost or stolen;
    • The impact on a staff member’s expectation to privacy when connecting their device to the company network;
    • How the device can connect to company networks;
    • Acceptable use for email and the internet;
    • The wiping of data when a staff member upgrades/replaces their device;
    • The wiping of data when a staff member leaves the company.

Consider compliance checking on devices to ensure the above is occurring;

Consider what support options the company might offer for the devices.

Dave Wharton, Senior Security Consultant, Advent IM